Feature #12402

Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails

Added by sonicsnail over 2 years ago. Updated over 1 year ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 03/25/2017
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter: Yes
Affected tool:

Description

During the September 2017 monthly meeting we decided that the landscape of 2FA is still too fragmented for us to take the decision of including tool X or Y by default in Tails.

So we reframed this ticket to research all possible solutions and hopefully spot "the perfect one". By then we'll also have a better idea of whether we want to include it in Tails by default or make it available through Additional Software, advanced documentation, etc.

Original description:

Yubico Authenticator lets you use a Yubikey for generation of TOTP/HOTP two factor authentication codes. Secret material is stored write-only on the Yubikey, and codes are generated by the Yubikey hardware and then displayed in the authenticator application, making it secure because the secret material can't be read. More info at https://developers.yubico.com/yubioath-desktop/

The package "yubioath-desktop" is already in Debian Stretch, it works in Tails 3.0~beta3 and depends on the following packages:
libjson-c3 libpyside1.2 libshiboken1.2v5 libykpers-1-1 libyubikey0 python-click python-colorama python-crypto python-pyscard python-pyside.qtcore python-pyside.qtgui python-pyside.qtnetwork

Total size of packages is 3,814 kB.

History

#1 Updated by intrigeri over 2 years ago

  • Assignee set to sonicsnail
  • QA Check set to Info Needed

#2 Updated by sonicsnail over 2 years ago

intrigeri wrote:

Any specific reason why https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html#additional_software is not suitable for this?

I can think of a bunch of reasons:
  • Tails should come with a two-factor auth solution built-in for the same reasons it comes with a password manager built-in: to encourage better security practices in users. It's up to users to actually use the apps, but if they do they'll be safer. More people should be using two-factor auth and we should be encouraging it. The implementation of Yubico Authenticator is solid due to the fact that it stores secrets non-readable in the Yubikey's TPM.
  • FIDO U2F authentication isn't possible in Tails or Tor Browser right now, and it probably won't be for a long time -- see issue #11565. Yubico Authenticator is the next best thing for securely doing two-factor auth.
  • Personally, I want to use Yubico Authenticator in Tails but I'm reluctant to enable persistence features on a platform that's meant to be amnesic. I want to use the app without having to unlock the persistent volume. I know there are others who have a similar attitude about persistence.
  • There is an "audience" for it. There are Tails users who already have Yubikeys and who therefore might find this app useful, even if they aren't aware of it yet. We just need to put the app in front of them. Additionally, Tails users might be more interested in starting to use Yubikeys now that the PGP smart card feature will finally work out of the box in Tails 3.0 (see issue #11565).

#3 Updated by intrigeri over 2 years ago

Hi!

Any specific reason why https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html#additional_software is not suitable for this?

I can think of a bunch of reasons:

Thanks! I'd like to gather some more info before we can discuss this collectively.

  • Tails should come with a two-factor auth solution built-in for the same reasons it comes with a password manager built-in: to encourage better security practices in users. It's up to users to actually use the apps, but if they do they'll be safer. More people should be using two-factor auth and we should be encouraging it.

OK, then my next questions are:

  • What other hardware + software solutions out there satisfy the same need?
  • Do these other solutions require vendor-specific software to use them?
  • Why should we support this specific hardware+software combination, and not one of the other options?

My underlying concern is that this landscape might be fragmented enough that, to "encourage better security practices in users", we end up adding similar software to support 2-5 other 2FA solutions in our ISO image. If this is what the landscape looks like, i.e. it is similar to IM and crypto-currencies, then IMO we need to either ship none (and rely on Additional Software Packages), or choose a single one carefully (and then someone needs to help us choose).

  • Personally, I want to use Yubico Authenticator in Tails but I'm reluctant to enable persistence features on a platform that's meant to be amnesic. I want to use the app without having to unlock the persistent volume. I know there are others who have a similar attitude about persistence.

I see, and I understand the feeling. However, this argument works for any additional package one requests to be included in Tails by default, so we do have to take it with a grain of salt whenever the software in question doesn't actually need to be installed by default to work fine. (There are exceptions to this rule, e.g. software that's particularly relevant in air-gapped setups, which is not the case here.) Also note that some important upcoming security improvements (PRNG seed, Tor entry guards) will require persistence, so one should expect that using (limited) persistence becomes more and more the recommended way of using Tails.

  • There is an "audience" for it. There are Tails users who already have Yubikeys and who therefore might find this app useful, even if they aren't aware of it yet.

FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That's a lot for a highly-specialized tool such as this one, and OTOH that's very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

#4 Updated by sonicsnail over 2 years ago

intrigeri wrote:

What other hardware + software solutions out there satisfy the same need?

I found a few other tools for generating 2FA codes on Linux systems, but I have to say there aren't many options:

The most common way of doing 2FA is with apps like Google Authenticator or FreeOTP that operate on smartphones independently of Tails.

I couldn't find any other software similar to Yubico Authenticator that integrates with hardware from other vendors. Hardware from Yubico's competitor, Trezor, only does FIDO U2F and has no similar TOTP/HOTP features.

Do these other solutions require vendor-specific software to use them?

No, the alternative solutions above aren't vendor specific. By "vendor-specific" you mean how Yubico Authenticator only works with Yubico's own hardware products.

Why should we support this specific hardware+software combination, and not one of the other options?

The other CLI solutions are software-only and involve storing the TOTP/HOTP secret keys on disk. Having secret keys on disk isn't exactly following the concept of "something you have" as a second factor because the secrets are stored in the same way as passwords, which are "something you know". Some of these programs don't even encrypt their databases of 2FA keys. In the case of OATH Toolkit, the app practically encourages users to copy/paste secret keys into the terminal, which is bad practice because now the keys are in the clipboard and are more likely to be accidentally pasted into unsafe places. Also, the lack of GUIs is a turnoff for a lot of users.

Smartphone apps like Google Authenticator and FreeOTP are relatively good. They operate on hardware/software that's isolated from Tails and they don't allow users to access the secret keys again after initial input. But smartphones are a financial investment for some users and they can still be pwned. Smartphones get pwned more easily than Tails. The apps are ultimately still software-only and store secret keys on the phone's disk.

Yubico Authenticator is unique and there are no other similar or competing apps from other vendors. It has a straightforward GUI, secret keys are inaccessible in the hardware TPM, it's very much "something you have" as a 2nd factor, and Yubikeys are relatively inexpensive compared to smartphones. From a security standpoint, Yubikeys are the safest place for storing TOTP/HOTP secret keys because the keys can't be extracted. While the app is vendor-specific, Yubico's product is a very solid solution for TOTP/HOTP 2FA.

My underlying concern is that this landscape might be fragmented enough that, to "encourage better security practices in users", we end up adding similar software to support 2-5 other 2FA solutions in our ISO image. If this is what the landscape looks like, i.e. it is similar to IM and crypto-currencies, then IMO we need to either ship none (and rely on Additional Software Packages), or choose a single one carefully (and then someone needs to help us choose).

I wouldn't call the landscape fragmented because there isn't much of a landscape at all. Mobile is a different story, but there aren't many 2FA apps for Linux desktop. There's a shit show of CLI apps and then there's Yubico Authenticator. I'd suggest shipping either nothing or Yubico Authenticator.

FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That's a lot for a highly-specialized tool such as this one, and OTOH that's very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

Yubico primarily distributes the app as a tarball download from their site at https://www.yubico.com/support/knowledge-base/categories/articles/yubico-authenticator-download/. It doesn't say anything about the Debian package. So the Debian site probably isn't recording all the installs.

This is a cross-platform app. On https://play.google.com/store/apps/details?id=com.yubico.yubioath&hl=en it has "10,000-50,000" installs.

#5 Updated by intrigeri over 2 years ago

Thanks for all your answers! I think we now have all the info we need to make a decision, so I've added this topic to the agenda of our next monthly meeting :)

There's a shit show of CLI apps and then there's Yubico Authenticator. I'd suggest shipping either nothing or Yubico Authenticator.

OK, got it. I agree.

FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That's a lot for a highly-specialized tool such as this one, and OTOH that's very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

Yubico primarily distributes the app as a tarball download from their site at https://www.yubico.com/support/knowledge-base/categories/articles/yubico-authenticator-download/. It doesn't say anything about the Debian package. So the Debian site probably isn't recording all the installs.

I agree that Debian isn't recording all the installs: in particular, one can disable popcon. Still, I'm pretty sure that installing software from 3rd-party websites is waaaay less common among Debian users (especially when said software is available in Debian) than on operating systems that lack good package management: installing software this way is much harder (the Linux download you link to points to the source tarball, and then one needs to compile and install manually), and skilled + security conscious people, who are likely to be the ones using such software, are generally aware of the advantages of package managers (e.g. security upgrades coming for free). So IMO the amount of people installing from source is negligible vs. the total number of Debian users of Yubico Authenticator, and thus the popcon number is useful as a way to compare the popularity of one piece of software vs. another one, among Debian users. FWIW tails-installer has 480 registered installs, OnionShare has 91, mat has 337, and seahorse-nautilus has 633. All these are relatively niche software.

#6 Updated by intrigeri over 2 years ago

  • Assignee deleted (sonicsnail)
  • QA Check deleted (Info Needed)

#7 Updated by intrigeri over 2 years ago

  • Tracker changed from Bug to Feature

#8 Updated by u about 2 years ago

As the two latest meetings did not take place, this ticket is still on our agenda for the July meeting.

#9 Updated by u about 2 years ago

Just FYI: while the software in Debian is Free Software, the Yubikey itself has closed source models, see https://en.wikipedia.org/wiki/YubiKey#Security-concerns_YubiKey_4_.28closed-source_code.29

#10 Updated by sajolida almost 2 years ago

  • Subject changed from Include Yubico Authenticator in Tails to Research what 2FA solution (if any) is worth installing by default in Tails
  • Description updated (diff)
  • Status changed from New to Confirmed
  • Priority changed from Normal to Low
  • Type of work changed from Discuss to Research
  • Starter set to Yes

During the September 2017 monthly meeting we decided that the landscape of 2FA is still too fragmented for us to take the decision of including tool X or Y by default in Tails.

So we're reframing this ticket to research all possible solutions and hopefully spot "the perfect one". By then we'll also have a better idea of whether we want to include it in Tails by default or make it available through Additional Software, advanced documentation, etc.

#11 Updated by u over 1 year ago

  • Subject changed from Research what 2FA solution (if any) is worth installing by default in Tails to Research what two-factor-authentication (2FA) solution (if any) is worth installing by default in Tails
